10607011

Method to Detect Zero-Day Malware Applications Using Dynamic Behaviors

Published: March 31, 2020
Assignee: not available in USPTO data we have
Inventors: Fatih Orhan
Technical Abstract

Patent Claims
8 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A method to identify and detect zero-day malware applications based on behavioural analysis comprising: identifying different behaviour types consisting of: file read and write operations, started services, loaded classes, sent SMS and phone calls, listing broadcast receivers, cryptography operations performed using system calls; creating an infrastructure to intercept and catch dynamic activities of a running application in offline mode through setting up a virtual machine or a sandbox on a server and hooking predefined system calls or activities; and distributing a dynamic behaviour signature, said signature based on dynamic features, to antivirus engines running on user's mobile devices; scanning and monitoring by said antivirus engines said running application for behaviours of said application once said running application is started; said dynamic behavior signature is created on server side comprising: gathering malware applications belonging to a same malware family from a malware repository; running said malware applications for several times and collecting the activity occurrences in time for each run; creating said dynamic behaviour signature; and storing said dynamic behaviour signature in a database to be distributed to clients; intercepting activities of said application, collecting said activities and comparing with said dynamic behaviour signatures where a comparison between said dynamic signature and actual behaviour is performed based on behaviour type and time of occurrence; determining a similarity ratio for each said dynamic signature; and verdicting a detection of malware for said running application if the similarity ratio is above 90% of a profile where said profile is a dynamic signature of a malware family and said profile is created offline using virtual devices and/or real devices, running modified operating systems, in order to hook application runtime behaviours comprising: determining threshold for acceptable occurrence rate; determining threshold for acceptable time delay; determining threshold for probability of occurrence; and creating by aggregation process said profile for each malware family type.

Plain English Translation

This invention relates to cybersecurity and addresses the problem of detecting novel, unknown (zero-day) malware applications on mobile devices. The method involves identifying and categorizing various application behaviors, including file operations, service starts, class loading, communication activities (SMS, calls), broadcast receiver listings, and cryptographic system calls. An infrastructure is established on a server to capture the dynamic activities of running applications in an offline environment. This is achieved by setting up virtual machines or sandboxes and hooking specific system calls or activities. A dynamic behavior signature is generated on the server side. This process involves collecting malware samples from the same family, executing them multiple times, and recording their activity occurrences over time. This collected data is used to create the dynamic behavior signature, which is then stored in a database for distribution to antivirus engines on user devices. Antivirus engines on user devices scan and monitor running applications for behaviors that match the distributed dynamic behavior signatures. The signature creation process also involves defining a profile for each malware family. This profile is created offline using virtual or real devices with modified operating systems to hook application runtime behaviors. The profile creation includes determining thresholds for acceptable occurrence rates, time delays, and probabilities of occurrence. When an application is running on a user device, its activities are intercepted and collected. These collected activities are compared against the dynamic behavior signatures. The comparison considers both the behavior type and the time of occurrence. A similarity ratio is calculated for each dynamic

Claim 2

Original Legal Text

2. The method according to claim 1 , where said dynamic signature for a legitimate application downloaded from application stores is created and malicious re-packaged applications are detected comprising: downloading said legitimate application from application markets and/or Internet; installing said legitimate application by said server into several of said virtual machines and/or said sandboxes, running said application for a predefined period of time and monitoring the behaviours while collecting the activity types and their respective timestamps; collecting and aggregating activity logs and generating said dynamic behaviour signature; saving said dynamic behaviour signature into a signature database of a server application; installing by user an application that presumably is re-packaged and has the same application identifier as the original application; downloading by said client device said re-packaged application from said application market; sending said application identifier to said server; checking by said server if there is said dynamic behaviour signature for the application in said signature database by sending only package information; extracting by server said dynamic behaviour signature and returning said dynamic behaviour signature to said client; monitoring by said client application the runtime behaviour of said application, extracting activities type and times from said application and performing an anomaly detection with regard to said dynamic behaviour signature, which is gathered from said server; concluding that said application contains malicious activities and is said re-packaged malware application if an anomaly is detected.

Plain English Translation

This invention relates to detecting malicious re-packaged applications by analyzing their dynamic behavior signatures. The problem addressed is the proliferation of re-packaged malware applications that mimic legitimate applications but contain malicious code. These malicious versions often share the same application identifier as the original, making them difficult to distinguish. The method involves creating a dynamic behavior signature for legitimate applications. This is done by downloading the application from official stores or the internet, installing it in multiple virtual machines or sandboxes, and running it for a predefined period. During execution, the system monitors the application's behavior, recording activity types and their timestamps. These logs are aggregated to generate a dynamic behavior signature, which is stored in a server database. When a user installs an application suspected of being re-packaged, the client device downloads the application and sends its identifier to the server. The server checks if a dynamic behavior signature exists for that identifier. If found, the signature is sent back to the client. The client then monitors the application's runtime behavior, comparing it to the stored signature. If anomalies are detected—such as unexpected activities or deviations in timing—the application is flagged as malicious re-packaged malware. This approach ensures that even subtle behavioral differences between legitimate and malicious versions are identified.

Claim 3

Original Legal Text

3. The method according to claim 1 , where said acceptable occurrence rate is selected as half of total number of runs.

Plain English Translation

A system and method for monitoring and controlling the occurrence rate of a specific event in a process involves tracking the frequency of the event across multiple runs and comparing it to a predefined acceptable occurrence rate. The method determines whether the event occurs within an acceptable range during each run and adjusts the process parameters if the occurrence rate exceeds the threshold. The acceptable occurrence rate is set as half of the total number of runs, ensuring that the event does not occur too frequently, which could indicate instability or inefficiency in the process. The system may include sensors or data collection modules to detect the event and a control unit to analyze the data and make adjustments. The method is particularly useful in manufacturing, quality control, or any process where maintaining a specific event frequency is critical to performance. By dynamically adjusting the process based on real-time data, the system ensures consistent and reliable operation while minimizing deviations from desired performance metrics.

Claim 4

Original Legal Text

4. The method according to claim 1 wherein said different behaviour types further consists of incoming/outgoing network data.

Plain English Translation

This invention relates to a system for analyzing and classifying network data behavior to detect anomalies or security threats. The method involves monitoring network traffic to identify different types of behavior, including incoming and outgoing network data, and comparing these behaviors against predefined patterns or thresholds to determine whether they deviate from expected norms. The system categorizes network data into distinct behavior types, such as data transmission rates, connection patterns, or protocol usage, and applies machine learning or statistical models to assess whether the observed behaviors indicate potential security risks, such as malware activity, unauthorized access, or data exfiltration. By continuously analyzing incoming and outgoing network data, the system can detect unusual or malicious traffic in real time, allowing for proactive security measures. The method may also incorporate historical data to refine detection accuracy and reduce false positives. The invention aims to enhance network security by providing automated, adaptive monitoring of network behavior to identify and mitigate threats efficiently.

Claim 5

Original Legal Text

5. A method to identify and detect zero-day malware applications based on behavioral analysis comprising: identifying a set of dynamic behavior types of an unknown application, where said set of behavior types is selected from a group consisting of: file read and write operations, started services, loaded classes, sent SMS and phone calls, listing broadcast receivers, cryptography operations performed using system calls; creating an infrastructure to intercept and catch said dynamic activities of running said unknown application in offline mode wherein said infrastructure includes of a computing device comprising a non-transitory computer readable medium storing program instruction that, when executed by a processing unit, cause the processing unit to identify said dynamic behavior signature of said unknown application by running said unknown application on said computing device; monitoring and recording said set of dynamic behaviour types in said non-transitory computer-readable medium of said computing device; aggregating said set of dynamic behaviour types by a predetermined algorithm wherein said predetermined algorithm comprises: determining a threshold for acceptable occurrences rate of said dynamic behavior types and a threshold for the occurrence count of said dynamic behavior types and a threshold for acceptable time delay between each of said set of dynamic behavior types; calculating a mean and as standard deviation of each of said thresholds; determining a threshold for probability of occurrence; creating said profile of said unknown application based on said threshold for probability of occurrence; distributing said dynamic behavior signature to said antivirus engines running on mobile device of user where said dynamic behavior signature is created on server side comprising: gathering malware applications belonging to a same malware family from a malware repository; running said malware applications for several times and collecting the activity occurrences in time for each run; creating said dynamic behaviour signature; and storing said dynamic behaviour signature in a database to be distributed to clients.

Plain English Translation

This technical summary describes a method for detecting zero-day malware applications through behavioral analysis. The approach focuses on identifying malicious software that has not been previously cataloged by security systems. The method involves analyzing dynamic behaviors of an unknown application, such as file operations, service launches, class loading, SMS/phone call activities, broadcast receiver listings, and cryptographic operations performed via system calls. These behaviors are intercepted and recorded in an offline environment using a computing device equipped with a non-transitory storage medium. The system monitors and logs these activities, then aggregates them using a predefined algorithm. The algorithm determines thresholds for acceptable occurrence rates, counts, and time delays between behaviors, calculates statistical measures like mean and standard deviation, and establishes a probability threshold to generate a behavioral profile of the application. This profile is then distributed to antivirus engines on user devices. The method also includes a server-side process where malware samples from the same family are collected, executed multiple times, and their activities are recorded to create a dynamic behavior signature. This signature is stored in a database for distribution to client devices, enabling real-time detection of zero-day threats based on behavioral patterns.

Claim 6

Original Legal Text

6. The method to identify and detect zero-day malware applications based on behavioral analysis according to claim 5 wherein said behavior types monitored during execution of said malware applications of the same malware family are presented as an activity map comprising: collecting various samples of said malware applications belonging to the same malware family after multiple different runs of each of said sample; aggregating outputs of sample collecting and extracting common items using data mining and pattern recognition techniques; providing said activity map by said outputs aggregation which is considered as said profile of the malware family or said dynamic behaviour signature.

Plain English Translation

This technical summary describes a method for identifying and detecting zero-day malware applications through behavioral analysis. The approach focuses on analyzing the dynamic behavior of malware samples belonging to the same family to generate a behavioral profile or signature. The method involves collecting multiple samples of malware applications from the same family after executing each sample in different environments or scenarios. The outputs from these executions are aggregated, and common behavioral patterns are extracted using data mining and pattern recognition techniques. These aggregated outputs form an activity map, which represents the dynamic behavior signature or profile of the malware family. This profile can then be used to detect new instances of malware from the same family, even if they are previously unknown (zero-day threats). The activity map helps in recognizing recurring behaviors, such as system calls, network activity, file modifications, or other actions, that are characteristic of the malware family. By comparing the behavior of new, unclassified applications against this profile, the system can identify potential zero-day threats based on their behavioral similarities to known malware families. This method enhances threat detection by focusing on behavioral patterns rather than static signatures, making it effective against evolving malware variants.

Claim 7

Original Legal Text

7. The method according to claim 5 , where said acceptable occurrences rate is selected as half of total number of runs.

Plain English Translation

This invention relates to a method for determining an acceptable occurrences rate in a system that performs repeated runs or operations. The method is designed to address the problem of defining a reliable threshold for acceptable performance in systems where operations are repeated multiple times, such as in manufacturing processes, quality control, or computational tasks. The key challenge is ensuring that the threshold is statistically meaningful and adaptable to varying conditions. The method involves selecting an acceptable occurrences rate based on the total number of runs. Specifically, the acceptable occurrences rate is set to half of the total number of runs. This means that if a system performs 100 runs, the acceptable occurrences rate would be 50. This threshold can be used to evaluate performance, where the number of acceptable outcomes is compared against this rate to determine if the system meets desired standards. The method may be part of a broader system that monitors and adjusts operations to improve efficiency or reliability. By setting the threshold at half the total runs, the method provides a balanced approach that avoids overly strict or lenient criteria, ensuring a practical and adaptable evaluation metric.
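The profile aggregation and similarity comparison described in claims 1, 5, 6 and 7 (occurrence-rate threshold of half the runs, mean and standard deviation of the time of occurrence, verdict when the similarity ratio is above 90%), as an added illustration that is not code from the patent or its inventor. The activity representation, the k*stdev time tolerance with a 1 s floor, and the definition of the similarity ratio as the fraction of matched profile entries are assumptions; the activity logs are constructed.

```python
"""Family profile (dynamic behaviour signature) and similarity verdict.
Added example for this page, not code from the patent or its inventor.
Assumptions not stated in the patent: an activity is a (behaviour type,
seconds since app start) pair; the acceptable time delay is k*stdev plus a
1 s floor; the ratio is the share of profile entries matched by type and time."""
from collections import defaultdict
from statistics import mean, pstdev


def build_profile(runs):
    """Aggregate several runs of a family into a profile (claims 5/6).
    A behaviour type is kept only if it occurred in at least half of the
    runs, the acceptable occurrence rate of claims 3 and 7."""
    n_runs = len(runs)
    first_seen = defaultdict(list)          # type -> first-occurrence time per run
    for run in runs:
        seen = {}
        for btype, t in run:
            seen.setdefault(btype, t)       # earliest occurrence in this run
        for btype, t in seen.items():
            first_seen[btype].append(t)
    return {
        btype: {"probability": len(ts) / n_runs,
                "mean_t": mean(ts), "std_t": pstdev(ts)}
        for btype, ts in first_seen.items() if len(ts) >= n_runs / 2
    }


def similarity_ratio(profile, run, k=2.0):
    """Share of profile behaviours the run reproduces by type AND time of
    occurrence (claim 1). k*std_t plus a 1 s floor is the time tolerance."""
    if not profile:
        return 0.0
    seen = {}
    for btype, t in run:
        seen.setdefault(btype, t)
    matched = 0
    for btype, stats in profile.items():
        t = seen.get(btype)
        if t is not None and abs(t - stats["mean_t"]) <= k * stats["std_t"] + 1.0:
            matched += 1
    return matched / len(profile)


def verdict(profile, run, threshold=0.9):
    """Claim 1: flag the running application if the ratio is above 90%."""
    return similarity_ratio(profile, run) > threshold


# Constructed activity logs (not real malware traces): three sandbox runs of
# samples from one family, as (behaviour type, seconds since app start).
FAMILY_RUNS = [
    [("load_class", 0.5), ("start_service", 1.2), ("read_file", 2.0),
     ("send_sms", 4.1), ("crypto", 5.0)],
    [("load_class", 0.6), ("start_service", 1.0), ("read_file", 2.3),
     ("send_sms", 4.4), ("crypto", 5.2)],
    [("load_class", 0.4), ("start_service", 1.3), ("read_file", 1.9),
     ("send_sms", 4.0), ("crypto", 4.9), ("list_receivers", 9.0)],
]
```

`list_receivers` appears in only one of three runs, so it is dropped from the profile; a run that reproduces the five remaining behaviours at similar times scores 1.0, while the same behaviours with one badly delayed step score 0.8 and are not flagged.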

Claim 8

Original Legal Text

8. The method according to claim 5 wherein said set of behavior types is selected from a group consisting of: file read and write operations, started services, loaded classes, sent SMS and phone calls, listing broadcast receivers, cryptography operations performed using system calls, and incoming/outgoing network data.

Plain English Translation

This invention relates to a method for monitoring and analyzing software behavior on a computing device to detect malicious or unauthorized activities. The method involves tracking a set of behavior types associated with software execution, where these behaviors include file read and write operations, started services, loaded classes, sent SMS and phone calls, listing broadcast receivers, cryptography operations performed using system calls, and incoming/outgoing network data. By monitoring these specific activities, the system can identify patterns indicative of malicious behavior, such as unauthorized data access, suspicious network communications, or cryptographic operations that may be used for malicious purposes. The method enhances security by providing detailed insights into software behavior, allowing for early detection of threats and unauthorized actions. This approach is particularly useful in environments where software integrity and security are critical, such as mobile devices, enterprise systems, or IoT devices. The monitored behaviors are analyzed in real-time or near-real-time to trigger alerts or take corrective actions when anomalies are detected. The system may also log these behaviors for forensic analysis or compliance reporting. By focusing on these specific behavior types, the method ensures comprehensive coverage of potential attack vectors while minimizing false positives.

Patent Metadata

Filing Date

Unknown

Publication Date

March 31, 2020

Inventors

Fatih Orhan


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “METHOD TO DETECT ZERO-DAY MALWARE APPLICATIONS USING DYNAMIC BEHAVIORS” (10607011). https://patentable.app/patents/10607011

© 2026 Nomic Interactive Technology LLC. Machine-readable context available at /api/llm-context/10607011. See llms.txt for full attribution policy.